[thelist] PHP Session ID stopping HTML validation

john at johnallsopp.co.uk john at johnallsopp.co.uk
Fri Mar 31 04:29:50 CST 2006


> Ian Anderson wrote:
>> john at johnallsopp.co.uk wrote:
>>>It's the fact that PHP puts its session id field straight after the
>>><form> tag that's stopping the page from validating.
>> Is this some additional module, or some php.ini switch, then? I use
>> cookie-based session handling in PHP
>
> This is session.use_trans_sid[0]. A moderate security risk to use it,
> and generally just an irritating "feature" in most situations. Must
> have had some use for someone with access to the PHP core, way back
> when. Most hosts have this disabled for good reason.  If you're on
> Apache, I suggest making sure you have this in your .htaccess file:
> php_value session.auto_start 1
> php_value session.use_trans_sid 0
> php_value session.use_cookies 1
> php_value session.use_only_cookies 1
> Otherwise, make sure you use ini_set() at the top of your script. If
> you want cookie-disabled UAs (most commonly spiders and scrapers) to
> be able to carry a session (?!?!?) toggle that last one.
>
> [0] http://us3.php.net/manual/en/ref.session.php
> --
> Max Schwanekamp

Thanks Max. I need to understand this before I act on it I think ..
back to a bit of study :-)

Cheers
J
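
An added example, not part of the original thread: a small Python check that reads .htaccess or php.ini text and reports any of the three session directives whose value differs from the ones Max lists above. The function name `audit` and both sample configurations are constructed for illustration.

```python
import re

# Values matching the .htaccess lines quoted in the thread above.
SAFE = {
    "session.use_trans_sid": False,
    "session.use_cookies": True,
    "session.use_only_cookies": True,
}
_TRUE = {"1", "on", "true", "yes"}

# Accepts .htaccess style ("php_value name value", "php_flag name on")
# and php.ini style ("name = value"); comment lines do not match.
_LINE = re.compile(
    r"^\s*(?:php_(?:admin_)?(?:value|flag)\s+)?(session\.\w+)[\s=]+(\S+)",
    re.IGNORECASE,
)

def audit(text):
    """Return {directive: finding} for settings that differ from SAFE.

    Later lines override earlier ones. A directive that never appears is
    reported as "not set": its effective value then comes from the host.
    """
    seen = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m and m.group(1).lower() in SAFE:
            value = m.group(2).strip("\"'").lower()
            seen[m.group(1).lower()] = value in _TRUE
    findings = {}
    for name, want in SAFE.items():
        if name not in seen:
            findings[name] = "not set"
        elif seen[name] != want:
            findings[name] = "is %d, expected %d" % (seen[name], want)
    return findings

# Constructed sample inputs (hypothetical, for illustration only).
WEAK = "php_flag session.use_trans_sid on\nphp_value session.use_cookies 1\n"
THREAD = """php_value session.auto_start 1
php_value session.use_trans_sid 0
php_value session.use_cookies 1
php_value session.use_only_cookies 1
"""

if __name__ == "__main__":
    print(audit(WEAK))
    print(audit(THREAD))
```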



